Data Processing Agreement

Last updated: 3/19/2026

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Talentika ("Processor") and the company using the platform ("Controller"). This DPA governs the processing of personal data by the Processor on behalf of the Controller in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed through the service. "Processing" means any operation performed on Personal Data, including collection, storage, modification, retrieval, consultation, use, disclosure, erasure, or destruction. "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

Subject Matter and Duration

The Processor processes Personal Data on behalf of the Controller for the purpose of providing recruitment management services, including career page hosting, job posting management, candidate application processing, interview scheduling, automated email communications, and analytics. The processing continues for the duration of the service agreement and as required by applicable law.

Categories of Data and Data Subjects

The following categories of personal data are processed:

  • Candidate data: name, email address, phone number, CV/resume, cover letter, application form responses, interview schedules, recruiter notes and ratings, tags, GDPR consent records, and uploaded file attachments
  • Recruiter/HR staff data: name, email address, role, activity logs, and notification preferences
  • Career page visitor data: IP addresses, browser information, page views (anonymized where possible)

Processor Obligations

Talentika as Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, audit logging, and regular security assessments
  • Not engage another processor without prior written authorization of the Controller (see Sub-processors section)
  • Assist the Controller in responding to data subject requests (right of access, rectification, erasure, portability) using built-in platform features (data export, account deletion)
  • Notify the Controller without undue delay after becoming aware of a personal data breach
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless storage is required by applicable law
  • Make available to the Controller all information necessary to demonstrate compliance with GDPR obligations

Sub-processors

The Controller authorizes the use of the following sub-processors:

  • Supabase Inc. - Database, authentication, file storage (EU infrastructure)
  • Vercel Inc. - Application hosting and CDN (global with EU data centers)
  • Resend Inc. - Transactional email delivery
  • OpenAI LLC - AI content generation (used only when AI features are activated by the Controller)
  • Upstash Inc. - Rate limiting and security (processes IP addresses)
  • CV Online - Job board integration (data shared only when integration is enabled by the Controller)

The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. If the Controller objects, the Processor shall make reasonable efforts to provide an alternative or allow the Controller to terminate the affected service.

International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission. The Processor maintains up-to-date records of data transfer mechanisms for each sub-processor.

Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption of data in transit (TLS) and at rest
  • Role-based access controls with company-scoped data isolation (multi-tenancy)
  • Audit logging of sensitive actions (data access, modifications, deletions)
  • Rate limiting to prevent abuse
  • Security headers (CSP, HSTS, X-Frame-Options)
  • Input sanitization and validation to prevent injection attacks
  • Soft deletion with configurable retention periods for candidate data
  • Regular automated backups with point-in-time recovery

Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach. The notification shall include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

Data Retention and Deletion

The Processor retains Personal Data in accordance with the Controller's configured retention settings. The Controller can configure automatic candidate data deletion periods. File deletions use a 2-week pending period before permanent removal. Upon termination of the service, the Controller may export all data (JSON, XLSX, or TXT format) before the Processor deletes it within 30 days.

Liability

Each party is liable for damages caused by processing that infringes GDPR. The Processor is liable for damages caused by processing where it has not complied with GDPR obligations specifically directed at processors, or where it has acted outside or contrary to the Controller's lawful instructions.

Contact

For questions about this Data Processing Agreement, please contact us at info@talentika.lt.